In October 2016 Labour requested clarification on the future of UK cybersecurity policy vis-a-vis Brexit by asking “When does the UK government intend to enshrine the provisions of the Network and Information Security directive into UK law, and can it confirm that this will take place before Britain leaves the European Union so that there is no difference in the regulation governing UK-based digital service providers when offering services within the UK or in the rest of Europe?”
Relevant policy:
- Directive on Security of Network and Information Systems (See also: explanatory post)
- Commission Decision to establish a contractual public private partnership on cybersecurity (cPPP) (DSM)
Progress and developments:
- In October 2016 the UK opened its National Cyber Security Centre, a child organisation of GCHQ. It would naturally fulfil the role of the national cybersecurity authority as required by the Directive.
- In December 2016 a government report stated:
“Government is separately considering whether additional regulation might be necessary for critical sectors, including in the context of the NIS Directive due to be implemented in 2018 as well as wider national infrastructure considerations… the detailed scope and security requirements for NIS implementation will be set out by Government in 2017, informed by the work of the NCSC and lead Government departments with relevant sectors alongside broader Government consideration of critical infrastructure.”
(Source: Cyber Security Regulation and Incentives Review (pdf), page 12, paragraph 4.10.)
- In August 2017 a consultation opened on the UK implementation of the Directive. It closes on 30 September.